
Version 5 (modified by Ryan Erbstoesser, 10 months ago)

add PCR values

Trusted Platform Module

Gateworks has an optional TPM on some SBCs.

The below models can optionally have it loaded:

  • Malibu GW8901
  • Venice:
    • GW74xx-B
    • GW73xx-F
    • GW72xx-F
    • GW71xx-E

The boards can contain an onboard Microchip ATTPM20P-H6MA1-10 TPM connected to the SPI bus.

This is compliant with the Trusted Computing Group (TCG) Trusted Platform Module (TPM) Version 2.0, r116 Trusted Platform Module Library.

Cryptographic Support for:

  • HMAC
  • AES-128
  • SHA-1
  • SHA-256
  • ECC BN_P256, ECC NIST_P256
  • RSA 1024-2048 bit keys

It is controlled via the generic TCG SPI Linux driver:

  • drivers/char/tpm/tpm_tis_spi.c: CONFIG_TCG_TIS, CONFIG_TCG_TIS_SPI

TPM 2.0 provides direct access via /dev/tpm0 (one client at a time). It can also be accessed through the tpm2-abrmd resource manager daemon, or through kernel-managed access via /dev/tpmrm0.

The TPM device is at /dev/tpm0

The TPM tool set (over 100 different commands) can be installed with the following command:

apt install tpm2-tools tpm2-abrmd

Example tpm2-tools showing the properties:

root@jammy-malibu:~# tpm2_getcap properties-fixed
TPM2_PT_FAMILY_INDICATOR:
  raw: 0x322E3000
  value: "2.0"
TPM2_PT_LEVEL:
  raw: 0
TPM2_PT_REVISION:
  raw: 0x77
  value: 1.19
TPM2_PT_DAY_OF_YEAR:
  raw: 0x42
TPM2_PT_YEAR:
  raw: 0x7DE
TPM2_PT_MANUFACTURER:
  raw: 0x4D434850
  value: "MCHP"
TPM2_PT_VENDOR_STRING_1:
  raw: 0x0
  value: ""
  etc.....

PCR Values

Platform Configuration Registers (PCRs) are registers that hold ‘fingerprints’ of different pieces of a specific system, such as the bootloader, Linux kernel, and initramfs. If the PCR values stored in the TPM do not match the PCRs of the currently booting system, access will not be granted. For example, someone booting an Ubuntu Live CD would not be able to access the TPM key, because the PCRs generated from the original disk and stored in the TPM will not match the PCRs newly generated from the boot CD. PCRs are updated by hashing: any new value is concatenated with the old one and then hashed, and the resulting hash replaces the old one. The definition of each specific PCR register can be found online.

Read the PCR Values:

root@jammy-venice:~# tpm2_pcrread
  sha1:
    0 : 0x0000000000000000000000000000000000000000
    1 : 0x0000000000000000000000000000000000000000
    2 : 0x0000000000000000000000000000000000000000
    3 : 0x0000000000000000000000000000000000000000
    4 : 0x0000000000000000000000000000000000000000
    5 : 0x0000000000000000000000000000000000000000
    6 : 0x0000000000000000000000000000000000000000
    7 : 0x0000000000000000000000000000000000000000
    8 : 0x0000000000000000000000000000000000000000
    9 : 0x0000000000000000000000000000000000000000
    10: 0x0000000000000000000000000000000000000000
    11: 0x0000000000000000000000000000000000000000
    12: 0x0000000000000000000000000000000000000000
    13: 0x0000000000000000000000000000000000000000
    14: 0x0000000000000000000000000000000000000000
    15: 0x0000000000000000000000000000000000000000
    16: 0x0000000000000000000000000000000000000000
    17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    23: 0x0000000000000000000000000000000000000000
  sha256:
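
The extend rule and the readout above, as an added example (not Gateworks code): Python that parses tpm2_pcrread text, lists PCRs still at a reset value, and replays a measurement chain in software to show how one changed component changes the final PCR. The sample text and the component byte strings are constructed, and the function names are hypothetical.

```python
import hashlib
import re

# Constructed sample in the tpm2_pcrread text format shown on this page.
SAMPLE = """\
  sha1:
    0 : 0x0000000000000000000000000000000000000000
    7 : 0x0000000000000000000000000000000000000000
    17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    23: 0x0000000000000000000000000000000000000000
  sha256:
"""

def parse_pcrread(text):
    """Return {bank: {index: value_bytes}} from tpm2_pcrread text output."""
    banks, bank = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*:\s*(0x[0-9A-Fa-f]+)?\s*$", line)
        if not m:
            continue
        if m.group(2) is None:          # "sha1:" starts a new bank
            bank = banks.setdefault(m.group(1), {})
        elif bank is not None:          # "17: 0x..." is a PCR in that bank
            bank[int(m.group(1))] = bytes.fromhex(m.group(2)[2:])
    return banks

def at_reset_value(bank):
    """Indexes whose value is all 0x00 or all 0xFF (a reset value)."""
    return sorted(i for i, v in bank.items()
                  if v in (bytes(len(v)), b"\xff" * len(v)))

def measure(blob, alg="sha256"):
    """Digest of one boot component (bootloader, kernel, initramfs...)."""
    return hashlib.new(alg, blob).digest()

def extend(pcr, digest, alg="sha256"):
    """PCR extend: new value = H(old value || measurement digest)."""
    return hashlib.new(alg, pcr + digest).digest()

def replay(components, alg="sha256"):
    """Software replay of a measurement chain starting from an all-zero PCR."""
    pcr = bytes(hashlib.new(alg).digest_size)
    for blob in components:
        pcr = extend(pcr, measure(blob, alg), alg)
    return pcr

if __name__ == "__main__":
    print(at_reset_value(parse_pcrread(SAMPLE)["sha1"]))
    good = replay([b"bootloader", b"kernel", b"initramfs"])
    other = replay([b"bootloader", b"live-cd-kernel", b"initramfs"])
    print(good.hex(), other.hex(), good == other, sep="\n")
```

In the readout above every listed PCR is still at a reset value (all zeros, or all ones for 17-22), which means nothing has been extended into them since TPM startup. A key bound to PCRs in that state would not distinguish one boot chain from another.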

Clearing the TPM

Only do this if you need to clear the TPM

tpm2_clear